b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                   More Actions Are Needed to Correct the\n                 Security Roles and Responsibilities Portion\n                of the Computer Security Material Weakness\n\n\n\n                                         August 26, 2010\n\n                              Reference Number: 2010-20-084\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n  and information determined to be restricted from public release has been redacted from this document.\n\n\n\n Phone Number | 202-622-6500\n Email Address | inquiries@tigta.treas.gov\n Web Site      | http://www.tigta.gov\n\x0c                                                    HIGHLIGHTS\n\n\nMORE ACTIONS ARE NEEDED TO                             procedures and guidelines, 3) properly conduct\nCORRECT THE SECURITY ROLES AND                         compliance assessments to test IT procedures,\nRESPONSIBILITIES PORTION OF THE                        and 4) establish effective metrics for measuring\nCOMPUTER SECURITY MATERIAL                             compliance.\nWEAKNESS                                               The IRS uses two documents, IRS Roles\n                                                       Requiring an IT Security Training Curriculum\n                                                       and Internal Revenue Manual IT Security Roles\nHighlights                                             and Responsibilities, to document security roles\n                                                       and responsibilities. While each document is\nFinal Report issued on August 26, 2010                 used for different purposes, the Internal\n                                                       Revenue Manual acts as the official policy over\nHighlights of Reference Number: 2010-20-084            security roles and responsibilities. 
TIGTA\nto the Internal Revenue Service Chief                  identified that for 10 of 18 roles similar in both\nTechnology Officer.                                    documents, the manual did not include all\n                                                       responsibilities established in the training\nIMPACT ON TAXPAYERS                                    curriculum. The IRS also did not document an\nThe Federal Managers\xe2\x80\x99 Financial Integrity Act          additional five IT security roles existing at the\nof 1982 requires that each agency conduct              IRS in the Internal Revenue Manual. Further,\nannual evaluations of its systems of internal          the IRS did not properly conduct compliance\naccounting and administrative controls and             assessments to verify and validate that IRS and\nsubmit an annual statement on the status of the        contract employees were executing their\nagency\xe2\x80\x99s system of management controls,                security responsibilities. Lastly, because the\nincluding identifying areas that can be                compliance assessment did not yield significant\nconsidered material weaknesses. The Internal           information, the IRS has yet to establish or\nRevenue Service (IRS) prematurely closed the           collect meaningful performance metrics for this\nsecurity roles and responsibilities component of       weakness area.\nits computer security material weakness. As a          WHAT TIGTA RECOMMENDED\nresult, the IRS cannot ensure all IRS and\ncontract employees will carry out their                TIGTA recommended that the Associate Chief\nresponsibilities to protect the confidentiality,       Information Officer, Cybersecurity, update the\nintegrity, and availability of taxpayer data.          
Internal Revenue Manual to include all IT\n                                                       security roles in existence at the IRS, establish\nWHY TIGTA DID THE AUDIT                                recurring processes and communications to\nTIGTA initiated this audit at the request of the       ensure security roles and responsibilities are\nIRS to provide an independent validation               periodically reviewed and updated, and develop\nassessment of the effectiveness of the IRS\xe2\x80\x99            procedures to validate compliance that\nactions to correct the roles and responsibilities      incorporate supporting evidence of proper\ncomponent of the computer security material            execution of assigned responsibilities. In\nweakness. This audit was included in TIGTA\xe2\x80\x99s           addition, the roles and responsibilities\nFiscal Year 2010 Annual Audit Plan.                    component of the computer security material\n                                                       weakness should be reopened.\nWHAT TIGTA FOUND\n                                                       In their response to the report, IRS officials\nWhile the IRS has made strides in addressing           agreed with 3 of the 4 recommendations. The\neach set of corrective actions, our analysis           IRS believes the roles and responsibilities\nfound that the IRS did not effectively complete        component should be downgraded to a\nfour of its six corrective action objectives.          
\xe2\x80\x9cSignificant Deficiency\xe2\x80\x9d rather than be reopened.\nSpecifically, the IRS did not 1) document all          TIGTA disagrees with the IRS\xe2\x80\x99 assessment and\ninformation technology (IT) security roles and         believes repeatable processes are not in place.\nresponsibilities in the Internal Revenue Manual,       As such, TIGTA does not agree with the\n2) develop and document day-to-day IT security         downgrade.\n\x0c                                           DEPARTMENT OF THE TREASURY\n                                                WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                           August 26, 2010\n\n\n MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER\n\n FROM:                       Michael R. Phillips\n                             Deputy Inspector General for Audit\n\n SUBJECT:                    Final Audit Report \xe2\x80\x93 More Actions Are Needed to Correct the Security\n                             Roles and Responsibilities Portion of the Computer Security Material\n                             Weakness (Audit #200920016)\n\n This report presents the results of our review to determine whether the Internal Revenue Service\n has effectively resolved the vulnerabilities relating to the information technology security roles\n and responsibilities component of the Internal Revenue Service computer security material\n weakness and implemented repeatable processes to ensure that this weakness does not recur.\n This review was included in the Treasury Inspector General for Tax Administration\n Fiscal Year 2010 Annual Audit Plan and is part of our statutory requirements to annually review\n the adequacy and security of IRS information technology. 
This audit also addresses the major\n management challenge of Security.\n Management\xe2\x80\x99s complete response to the draft report is included as Appendix V.\n Copies of this report are also being sent to the IRS managers affected by the report\n recommendations. Please contact me at (202) 622-6510 if you have questions or\n Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology\n Services), at (202) 622-8510.\n\x0c                                         More Actions Are Needed to Correct the\n                                       Security Roles and Responsibilities Portion\n                                      of the Computer Security Material Weakness\n\n\n\n\n                                            Table of Contents\n\nBackground ..........................................................................................................Page 1\n\nResults of Review ...............................................................................................Page 3\n          Not All Information Technology Security Roles\n          Were Documented in the Internal Revenue Manual,\n          and Day-to-Day Security Procedures and Guidelines\n          Were Not Developed and Documented ........................................................Page 4\n                    Recommendation 1:........................................................Page 8\n\n          Compliance Assessments Were Not Properly Conducted\n          to Test and Validate Whether Security Roles and\n          Responsibilities Were Being Carried Out.....................................................Page 8\n                    Recommendation 2:........................................................Page 12\n\n          Effective Metrics for Measuring and Improving\n          Compliance With Information Technology Security Roles\n          and Responsibilities Were Not Established ..................................................Page 13\n                
    Recommendation 3:........................................................Page 14\n\n                    Recommendation 4:........................................................Page 14\n\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................Page 16\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................Page 17\n          Appendix III \xe2\x80\x93 Report Distribution List .......................................................Page 18\n          Appendix IV \xe2\x80\x93 Internal Revenue Manual Roles Missing\n          Responsibilities in the Training Curriculum.................................................Page 19\n          Appendix V \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report .......................Page 21\n\x0c           More Actions Are Needed to Correct the\n         Security Roles and Responsibilities Portion\n        of the Computer Security Material Weakness\n\n\n\n\n               Abbreviations\n\nFISMA    Federal Information Security Management Act\nGAO      Government Accountability Office\nIT       Information Technology\nIRM      Internal Revenue Manual\nIRS      Internal Revenue Service\nNIST     National Institute of Standards and Technology\nOMB      Office of Management and Budget\nTIGTA    Treasury Inspector General for Tax Information\n\x0c                                    More Actions Are Needed to Correct the\n                                  Security Roles and Responsibilities Portion\n                                 of the Computer Security Material Weakness\n\n\n\n\n                                             Background\n\nThe Federal Managers\xe2\x80\x99 Financial Integrity Act of 1982 1 requires that each agency conduct\nannual evaluations of its systems of internal accounting and administrative controls and submit\nan annual statement on the status of the agency\xe2\x80\x99s system of 
management controls. As part of the\nannual evaluations, agency managers identify control areas that can be considered material\nweaknesses. From its guidance on the Federal Manager\xe2\x80\x99s Financial Integrity Act, the\nDepartment of the Treasury and the Office of Management and Budget (OMB) define material\nweaknesses as \xe2\x80\x9cshortcomings in operations or systems which, among other things, severely\nimpair or threaten the organization\xe2\x80\x99s ability to accomplish its mission or to prepare timely,\naccurate financial statements or reports,\xe2\x80\x9d or \xe2\x80\x9ccompromises the security of its information,\ninformation systems, personnel, or other resources, operations, or assets.\xe2\x80\x9d The OMB monitors\nprogress on material weaknesses declared by Federal Government agencies.\nAs a result of its Federal Manager\xe2\x80\x99s Financial Integrity Act evaluation and financial audit\nconducted by the Government Accountability Office (GAO) in 1997, the Internal Revenue\nService (IRS) designated computer security as a material weakness. Subsequent to this\ndeclaration, the IRS further categorized the computer security material weakness into nine\ncomponents, 2 one of which covered security roles and responsibilities. The IRS defined this\ncomponent as appropriately delineating security roles and responsibilities within functional\nbusiness, operating, and program units throughout the IRS. To help in its efforts to improve\ncomputer security, the IRS received a $90 million increase for its information technology (IT)\nand computer security material weakness initiative for Fiscal Year 2010.\nTo address this component of the computer security material weakness, the IRS developed a plan\nto formally track and monitor the following corrective actions for resolving the security roles and\nresponsibilities weakness.\n    1. 
Document IT security roles and responsibilities for IRS organizational units and for\n       individual roles or positions.\n\n\n\n\n1\n 31 U.S.C. \xc2\xa7\xc2\xa7 1105, 1113, and 3512.\n2\n The computer security material weakness components include: 1) network access controls; 2) key computer\napplications and system access controls; 3) software configuration; 4) functional business, operating, and program\nunits security roles and responsibilities; 5) segregation of duties between system and security administrators;\n6) contingency planning and disaster recovery; 7) monitoring of key networks and systems; 8) security training; and\n9) certification and accreditation. The segregation of duties, security training, and certification and accreditation\ncomponents have been closed.\n                                                                                                             Page 1\n\x0c                                   More Actions Are Needed to Correct the\n                                 Security Roles and Responsibilities Portion\n                                of the Computer Security Material Weakness\n\n\n\n    2. Develop and document day-to-day IT security procedures and guidelines for the\n       execution and enforcement of security standards consistent with defined security roles\n       and responsibilities.\n    3. Conduct independent compliance assessments to verify and validate that employees in\n       IT security roles are properly executing their roles and responsibilities.\n    4. Conduct compliance assessments (i.e., social engineering tests) to revalidate that security\n       roles and responsibilities are being properly carried out.\n    5. Develop and implement an updated communications strategy targeted at reinforcing\n       IT security roles and responsibilities.\n    6. 
Establish and maintain collection and reporting of metrics 3 to assess the successful\n       operation of the policy and ensure continuous monitoring of program areas.\nThe IRS reported the completion of all action items in its plan in March 2009, and the Security\nServices and Privacy Executive Steering Committee approved the closure of the security roles\nand responsibilities component. The IRS requested that the Treasury Inspector General for Tax\nAdministration (TIGTA) provide an independent validation assessment of the effectiveness of\nthe IRS\xe2\x80\x99 actions to address the security roles and responsibilities component of the computer\nsecurity material weakness.\nThis review, which represents our validation efforts as requested by the IRS, was performed at\nthe IRS National Headquarters in New Carrollton, Maryland, in the Office of Cybersecurity\nduring the period September 2009 through April 2010. We conducted this performance audit in\naccordance with generally accepted government auditing standards. Those standards require that\nwe plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable\nbasis for our findings and conclusions based on our audit objective. We believe that the\nevidence obtained provides a reasonable basis for our findings and conclusions based on our\naudit objective. Detailed information on our audit objective, scope, and methodology is\npresented in Appendix I. 
Major contributors to the report are listed in Appendix II.\n\n\n\n\n3\n Tools designed to facilitate decision making and improve performance and accountability through collection,\nanalysis, and reporting of relevant performance-related data.\n                                                                                                          Page 2\n\x0c                                   More Actions Are Needed to Correct the\n                                 Security Roles and Responsibilities Portion\n                                of the Computer Security Material Weakness\n\n\n\n\n                                     Results of Review\n\nWe reviewed available supporting documentation relating to the activities on the IRS\xe2\x80\x99 corrective\nactions for resolving the security roles and responsibilities component of the computer security\nmaterial weakness and found that the IRS had completed all actions for only two of six sets of\ncorrective actions presented on its corrective action plan. The IRS effectively developed and\nimplemented updated communications strategies. Specifically, the IRS increased security\nawareness through displays, electronic newsletters, literature, security surveys, and making\nsecurity staff available to answer employees\xe2\x80\x99 questions. The IRS also required all IRS and\ncontract employees to complete an annual information protection briefing, which highlights\ninformation security policies on roles and responsibilities. In addition, the IRS hired a consulting\nfirm to conduct social engineering efforts to revalidate security roles and responsibilities.\nWhile the IRS has made strides in addressing each set of corrective actions, we found that the\nIRS did not effectively complete four of its six corrective actions and that not all actions taken by\nthe IRS were effective in achieving its stated objectives. 
Figure 1 presents our results of each set\nof corrective actions.\n                         Figure 1: Assessment by Corrective Actions\n                                                        Documentation Documentation      Were the\n                                                          of Actions     of Actions     Documented\n    Corrective Actions Necessary to Support                Support        Support        Corrective\n    Closure of the Roles and Responsibilities             Corrective    Corrective        Actions\n     Component of the Computer Security                 Action Closure Action Closure     Taken\n               Material Weakness                           per IRS      per TIGTA        Effective?\n1. Document IT Security Roles and Responsibilities           Yes             No              No\n2. Develop and Document Day-to-Day IT Security               Yes             No              No\nProcedures and Guidelines\n3. Conduct Compliance Assessments to Verify and              Yes             No              No\nValidate Security Roles and Responsibilities\n4. Conduct Compliance Assessments (i.e., Social              Yes            Yes             Yes\nEngineering) to Revalidate Security Roles and\nResponsibilities\n5. Develop and Implement Updated Communications              Yes            Yes             Yes\nStrategy\n6. 
Establish Metrics to Measure Successful Operations        Yes             No              No\nSource: TIGTA Analyses and Interviews\n\n\n\n                                                                                              Page 3\n\x0c                               More Actions Are Needed to Correct the\n                             Security Roles and Responsibilities Portion\n                            of the Computer Security Material Weakness\n\n\n\nBecause of the lack of progress in completing corrective actions and implementing repeatable\nprocesses to ensure this weakness does not recur and the recent evidence of employee\nnoncompliance with security responsibilities, we believe the IRS prematurely closed the security\nroles and responsibilities component, which should have remained open as part of the computer\nsecurity material weakness. Specifically, the IRS did not:\n   \xe2\x80\xa2    Document all IT security roles and responsibilities in the Internal Revenue Manual (IRM)\n        and develop day-to-day IT security procedures and guidelines.\n   \xe2\x80\xa2    Properly conduct compliance assessments to test the implementation of day-to-day\n        IT procedures.\n   \xe2\x80\xa2    Establish effective metrics for measuring and improving compliance with IT security\n        roles and responsibilities.\n\nNot All Information Technology Security Roles Were Documented in\nthe Internal Revenue Manual, and Day-to-Day Security Procedures\nand Guidelines Were Not Developed and Documented\n\nEstablished security roles at the IRS were not included in the IRM\nThe IRS issued the IRM section IT Security Roles and Responsibilities in December 2005 (and\nsubsequently updated it in March 2007) to define and document IT security roles and\nresponsibilities for IRS and contract employees and to support the closure of one of its planned\ncorrective actions. 
In addition, the IRS developed and issued the training curriculum IRS Roles\nRequiring an IT Security Training Curriculum for employees performing in IT security roles\nwith significant security duties. This curriculum was issued in April 2008 and was last updated\nin February 2009. It also defined IT security roles and responsibilities and provided both a\ncurriculum for each role and the number of specialized IT security training hours required. The\nprimary difference in these two documents is that the training curriculum specifically identifies\nsecurity roles with significant security duties that require specialized training and the manual acts\nas the IRS\xe2\x80\x99 official policy over all security roles and responsibilities.\nAlthough many roles are similar in both documents, the IRS did not document all IT security\nroles existing at the IRS into the IRM. The following 5 of 28 roles identified in the training\ncurriculum are not included in the IRM. Employees performing in these security roles did not\nhave official security-related responsibilities as set forth in the IRM. As of December 2009, the\nIRS reported the following number of employees performing in these roles.\n   1.   Computer Audit Specialist (293 employees).\n   2.   Functional Workstation Specialist (222 employees).\n   3.   Technical Support Staff (855 employees).\n   4.   Management/Program Analyst (569 employees).\n\n                                                                                              Page 4\n\x0c                                More Actions Are Needed to Correct the\n                              Security Roles and Responsibilities Portion\n                             of the Computer Security Material Weakness\n\n\n\n   5. System Designer (41 employees).\nIn addition, we found that for 10 of 18 roles that are similar in both documents, the IRM did not\ninclude all of the responsibilities that were established in the training curriculum. 
These\n10 roles, along with the number of missing responsibilities, are as follows:\n   1.   Chief Information Officer (1 responsibility).\n   2.   Designated Accrediting Authority (1 responsibility).\n   3.   Information Systems Security Officer (2 responsibilities).\n   4.   Manager (2 responsibilities).\n   5.   Privacy Official (3 responsibilities).\n   6.   Program Management Official (4 responsibilities).\n   7.   Security Specialist (2 responsibilities).\n   8.   Senior Agency Information Security Officer (1 responsibility).\n   9.   Systems Operations Staff (3 responsibilities).\n  10.   Telecommunications Voice Specialist (5 responsibilities).\nAppendix IV provides the details of the missing responsibilities for these 10 roles. Because the\nIRS uses both documents for different purposes, we believe the differences between the two\ndocuments may cause confusion over what each employee\xe2\x80\x99s official security-related\nresponsibilities are.\nThe roles and responsibilities between these two documents were misaligned because the IRS\nCybersecurity organization did not effectively communicate within its own groups the intent of\neach document or define which document contained the authoritative list of security roles and\nresponsibilities for the IRS. During the course of our review, Cybersecurity organization\npersonnel stated that the IRM was developed to document IT security \xe2\x80\x9cpositions,\xe2\x80\x9d not \xe2\x80\x9croles\xe2\x80\x9d\nwith significant security duties that require specialized training, despite the title of the document\nand its use to support the closure of their corrective action. They also stated that not all\n\xe2\x80\x9cpositions\xe2\x80\x9d in the manual have significant IT security duties and did not require specialized\ntraining. 
In addition, Cybersecurity organization personnel stated that the Department of the\nTreasury policy does not require security \xe2\x80\x9cpositions\xe2\x80\x9d in the IRM and IT security roles in the\ntraining curriculum to align. Subsequently, the Cybersecurity organization indicated that the\nIRM is the IRS\xe2\x80\x99 authoritative policy for identifying baseline IT security roles and\nresponsibilities.\nIRS and contract employees performing in IT security roles for which the IRS has not\nestablished official responsibilities cannot be held accountable for compliance with official\nduties. In addition, the discrepancy between the IRM and training curriculum roles may cause\nmanagers to not properly identify employees and contract employees as performing in\nIT security roles, whether for completing required specialized training or for assessing\ncompliance with security responsibilities.\n\n\n                                                                                               Page 5\n\x0c                                   More Actions Are Needed to Correct the\n                                 Security Roles and Responsibilities Portion\n                                of the Computer Security Material Weakness\n\n\n\nTreasury-required and National Institute of Standards and Technology\n(NIST)-recommended security roles were not included in the IRM\nThe Department of the Treasury IT Security Program\xe2\x80\x99s Treasury Directive Publication 85-01\ndesignates specific officials with key security responsibilities to ensure the success of the\nagency\xe2\x80\x99s security program. The Treasury Directive states that, in order to protect the integrity,\nconfidentiality, and availability of information and information systems, individuals must\nunderstand their security-related roles and responsibilities. The Directive also identifies roles\nthat require annual specialized IT security training. 
We found that the IRM lacked the following\nfive key security roles that the Treasury Directive required:\n    \xe2\x80\xa2   IT Security Policy and Guidance Personnel.\n    \xe2\x80\xa2   Help Desk Personnel.\n    \xe2\x80\xa2   Incident Handler.\n    \xe2\x80\xa2   Quality Assurance Personnel.\n    \xe2\x80\xa2   Change Management Staff.\nIn addition, the NIST Special Publication 800-16, Draft Information Security Training\nRequirements: A Role and Performance-Based Model, 4 recommends specialized training for\nemployees performing in the following security roles, which were not evident in the IRS manual:\n    \xe2\x80\xa2   Technical Support Personnel.\n    \xe2\x80\xa2   Incident Response Coordinator/First Responders.\n    \xe2\x80\xa2   Freedom of Information Act Official.\n    \xe2\x80\xa2   Records Management Official.\n    \xe2\x80\xa2   Office of General Counsel Staff.\n    \xe2\x80\xa2   Source Selection Board Member.\n    \xe2\x80\xa2   Risk/Vulnerability Analyst.\n    \xe2\x80\xa2   Assessor.\n    \xe2\x80\xa2   Risk Executive.\n    \xe2\x80\xa2   Security Engineer.\n    \xe2\x80\xa2   Data Center Manager.\nOur analysis revealed IRS employees with similar responsibilities as the Department of the\nTreasury and NIST roles listed above. IRS employees who may have been performing in the\nvarious security roles listed above that were not yet formally documented in the IRM were\nsometimes identified with a more general security role category. For example, employees tasked\nwith writing IRS security policy were identified as security specialists when the IT Security\nPolicy and Guidance Personnel role would have been more appropriate. 
Also, employees tasked\n\n4\n NIST is responsible for developing standards and guidelines, including minimum requirements, and for providing\nadequate information security for all agency operations and assets.\n                                                                                                        Page 6\n\x0c                               More Actions Are Needed to Correct the\n                             Security Roles and Responsibilities Portion\n                            of the Computer Security Material Weakness\n\n\n\nwith handling incidents were identified as security specialists when the Incident Handler role\nwould have been more appropriate.\nThis occurred because the IRS had not effectively completed its work to identify and document\nall existing security roles at the IRS, assign appropriate responsibilities to these roles, and\nidentify the employees performing in these roles. In addition, the IRS did not have an effective\nrepeatable process to ensure the manual is periodically updated to ensure all security roles in\nexistence at the IRS are documented. This should be done through an adequate recurring review\nof the IRS environment, Treasury regulations, and applicable NIST guidance.\nCybersecurity organization personnel advised us that the lengthy process the IRS undergoes to\nupdate the manual prevented them from incorporating all Treasury-required and appropriate\nNIST-recommended IT security roles since its last update. However, they also advised us that\nthe IRM is currently being updated and that Department of the Treasury and NIST roles are\nbeing considered. 
The Cybersecurity organization will establish recurring communications\nwithin its groups to ensure authorized IT security roles are aligned and consistent in both the\nIRM and training document.\nUntil the IRS has officially documented all security roles and responsibilities in existence at its\nagency and implemented a repeatable process to ensure roles and responsibilities are periodically\nreviewed and updated, it cannot ensure that all IRS and contract employees performing in these\nroles are complying with their appropriate security-related responsibilities. As a result, the IRS\nmay be at more risk to the latest security threats and vulnerabilities.\n\nDay-to-day IT security procedures and guidelines were not developed and\ndocumented\nThe IRS corrective action plan for resolving the roles and responsibilities component of its\ncomputer security material weakness required the IRS to develop and document day-to-day\nIT security procedures and guidelines for organizational units in executing and enforcing security\nstandards consistent with defined security roles and responsibilities. The IRS closed this\ncorrective action in February 2006. However, the sole artifact provided to us in support of this\nclosure was the IT Security Roles and Responsibilities manual. This manual is the baseline\npolicy on which specific day-to-day standard operating procedures and guidance for complying\nwith security responsibilities should be based. This baseline policy is broad in nature and does\nnot provide specificity of day-to-day operating procedures and guidance.\nThe Cybersecurity organization explained that personnel who worked on this corrective action\nwere no longer with the organization and did not leave current Cybersecurity organization\npersonnel with any further documentation. 
Recognizing this deficiency, the Cybersecurity organization sent out a request to the various business units to provide their standard operating procedures for implementing role-based responsibilities. At the time of our review, the Cybersecurity organization had received documentation on day-to-day security procedures from one business unit. The Cybersecurity organization plans to collect and develop a catalog of security role-related procedures and guidelines, which will then be used to ensure the day-to-day procedures align with IRS policy.

Until the IRS has documented and reviewed security role-related day-to-day procedures and guidelines in existence within its business units, it cannot ensure all employees performing in security roles are complying with their security-related responsibilities consistent with IRS policy.

Recommendation

Recommendation 1: The Associate Chief Information Officer, Cybersecurity, should: 1) update the IRM to include all IT security roles in existence at the IRS (including roles from the training curriculum, those required by the Department of the Treasury, and those recommended by the NIST, as appropriate) and the related responsibilities for each of these roles; 2) establish recurring processes and communications to ensure security roles and responsibilities in the IRM are periodically reviewed and updated and alignment between the IRM and the training curriculum is maintained; and 3) establish a process to periodically collect, update, and review security role-related procedures and guidelines to ensure day-to-day procedures align with current IRS policy.

Management's Response: IRS management agreed with this recommendation. The IRS will: 1) update the IRM to include all IT security roles and related responsibilities in existence at the IRS; 2) perform a crosswalk of the IRM with the IRS Specialized IT Security Training program annually and align any role differences; and 3) enhance its existing process to periodically collect, update, and review security role-related procedures and guidelines to ensure day-to-day procedures align with current IRS policy.

Compliance Assessments Were Not Properly Conducted to Test and Validate Whether Security Roles and Responsibilities Were Being Carried Out

Completed assessments did not validate compliance with IRS security policy

The IRS corrective action plan for resolving the roles and responsibilities component also required the IRS to conduct compliance assessments to verify and validate that employees in IT security roles were properly executing their security responsibilities. The Cybersecurity organization conducted two surveys, in June 2008 and February 2009, on employee compliance with their security roles and responsibilities. The Cybersecurity organization was in the process of reviewing the compliance survey results, as metrics data were not specific enough to demonstrate a trend of improvement, when the roles and responsibilities component was presented to the Security Services and Privacy Executive Steering Committee for closure approval.
Based upon actions taken on the roles and responsibilities component, and without the results of the compliance surveys, the Security Services and Privacy Executive Steering Committee approved the closure on March 25, 2009. The Cybersecurity organization subsequently established new metrics and conducted two additional compliance surveys, in May and August 2009, yielding greater than 99 percent of employees being aware of their roles, having knowledge of policies and guidance over their roles, and appropriately performing duties defined for their assigned roles. The Cybersecurity organization plans to continue conducting these compliance surveys at least annually to ensure continued compliance with established policies and procedures.

However, we found that the assessments that the IRS conducted were not sufficient to validate employee compliance with security responsibilities. The compliance surveys did not actually test for compliance with security responsibilities. To "test" selected employees, the Cybersecurity organization developed questionnaires by reproducing the roles and responsibilities listed in the 2005 version of the IRM. Questionnaires were sent to employees in advance of the interviews. Employees responded to the questionnaire by simply answering "yes" or "no" to whether or not they complied with the responsibilities listed, or by referring to other organizations or employees if they believed that they were not responsible for that task. The Cybersecurity organization took no further action to validate employees' positive responses to ensure employees' compliance with their responsibilities. Also, referrals of responsibilities made by employees to other organizations or employees were not verified or followed up on to confirm compliance. Furthermore, surveyors conducting the compliance assessments did not have adequate knowledge of the security areas to determine whether responsibilities were correctly referred and, therefore, relied solely on the oral testimony of employees' understanding of their roles and responsibilities.

Asking employees whether or not they are responsible for various security-related activities may help instill knowledge and understanding of these responsibilities, but their responses do not in themselves provide evidence of compliance with their responsibilities. The Cybersecurity organization subsequently advised us that the intent of the exercise was not to assess employee compliance, but to assess the employee's knowledge of his or her security responsibilities.
To remedy this difference, the Cybersecurity organization informed us that it is in the process of establishing improved compliance assessment procedures that will produce measurable results. For example, the Cybersecurity organization plans to explore using the results of scans run on systems that determine the system's compliance with security settings for validating employee compliance with security policy.

Not all IRS and contract employees performing in IT security roles have been identified

We also found that the delivery of compliance surveys was flawed because not all IRS and contract employees performing in IT security roles were included in the population for compliance testing. IRS business unit managers are responsible for identifying employees performing in IT security roles that require specialized training within their respective business units. To identify their employees in IT security roles, managers are asked to review the role descriptions in the IRS Roles Requiring an IT Security Training Curriculum to determine which best matches their employees' responsibilities. Once identified, managers request that these employees be added to the IT SEC Training Master List (Master List). The IRS uses the Master List to monitor the identified employees' progress towards completion of their required training hours and for reporting this information to the OMB in accordance with Federal Information Security Management Act (FISMA) 5 requirements.

The Cybersecurity organization relied solely on the Master List as its basis for employee selection when conducting the compliance surveys. Because the Master List contains only IRS employees identified in IT security roles requiring specialized training, not all employees in existing IT security roles specified by the IRM, required by the Department of the Treasury, or recommended by the NIST were included in the population for compliance testing.

The IRM contained 11 additional IT security roles that the training curriculum did not contain. Therefore, IRS and contract employees performing in these roles were not assessed for compliance or for completion of training requirements as needed. To determine the number of IRS employees performing in these 11 roles, we researched the IRS directory for similar titles. However, because the IRS directory position titles do not necessarily align with security role titles, we were unable to identify, with absolute certainty, the number of IRS and contract employees performing in these security roles. Based on our research, we estimated the number of IRS and contract employees potentially filling these roles as follows. 6

1. Agency Head (1 employee).
2. Certification Agent.
3. Senior Management/Executive (65 employees).
4. Business System Planner.
5. Information Owner.
6. Accrediting Official Designated Representative.
7. Enterprise Architect (9 employees).
8. Chief Financial Officer (1 employee).
9. Physical Security Officer (45 employees).
10. Personnel Security Officer (15 employees).
11. Encryption Recovery Agent.

Cybersecurity organization personnel advised us that they are aware that relying on managers to identify employees in security roles that require specialized training may cause some employees to not be on the Master List or included in the survey population because managers do not always apply the role definitions consistently. The IRS is developing new techniques for identifying employees performing in all existing security roles.

5 44 U.S.C. §§ 3541 - 3549.
6 A security role listed without a corresponding number indicates the security role did not align with a position title.

Further, we also found that the Master List did not include contract employees. The IRS is not required to provide specialized training to contract employees because the contract organization is responsible for its contract employees to have and maintain the necessary level of technical expertise to accomplish the various tasks defined within the contracts. The IRS also advised us that no after-hire formal compliance process exists that reports on the accuracy of a contract employee's adherence to published policy and procedures.
Instead, assurance for whether a contract employee is performing his or her work in adherence to established policy and procedure is the day-to-day responsibility of the IRS project manager and contract representative overseeing the contract employee's work.

Even so, contract employees may be performing in IT security roles with the same responsibilities as IRS employees and, therefore, should be identified in these roles and included in the population for selection in the compliance testing. We identified more than 1,350 contract employees with system access that held titles related to security roles, such as system administrators, database administrators, programmers, developers, security specialists, system architects, system engineers, and web developers. These job titles may or may not align with IRS security roles.

The IRS has not yet established an adequate method to identify which contractors are performing in IRS security roles. However, the Cybersecurity organization informed us that it plans to develop a process to identify contract employees with system access for inclusion in the compliance assessment population and to include instructions in the compliance assessment standard operating procedures to incorporate contract employees as part of the compliance surveys.

Employees selected for the compliance surveys were not measured against current or role-based IT security responsibilities

As mentioned earlier, the IRS developed questionnaires by reproducing the roles and responsibilities listed in the 2005 version of the IRM. Although a 2007 version had been issued, the IRS continued to use the older version 7 in order to facilitate consistent testing and trending of results. However, we identified 6 roles in the 2005 version that were updated with 25 additional responsibilities in the 2007 version. As a result, significant responsibilities were not included in the questionnaires, such as the following two examples.

• Security specialists must conduct security audits, verifications, and acceptance checks, while maintaining documentation on the results.
• Contracting Officers Technical Representatives must protect any personally identifiable information that they have in their possession, whether it is paper-based or in electronic form.

7 The IRS used the older version of the IRM for all but four of its roles when conducting the compliance assessments. The four roles include Desktop Employee, Manager, Telecom Specialist, and System Administrator.

In addition, for employees selected for the compliance survey in roles that did not clearly translate to an IRM role, 8 Cybersecurity organization personnel conducted the compliance survey using generic "employee" responsibilities covering basic security awareness and training instead of against specific role-based responsibilities. This approach occurred because the IRS had not yet fully developed or implemented authoritative security roles and responsibilities enterprise-wide nor developed adequate and repeatable procedures to validate compliance with security-related responsibilities.

Until the IRS fully documents its security roles and related responsibilities, is able to identify IRS and contract employees performing in these roles, and develops adequate and repeatable processes to validate employees' and contractor employees' compliance with their security-related responsibilities, the IRS cannot ensure that its security procedures and policies are being carried out as intended.

Recommendation

Recommendation 2: The Associate Chief Information Officer, Cybersecurity, should: 1) develop an effective and repeatable method to identify all IRS and contract employees performing in established IT security roles, 2) include all IRS and contract employees performing in IT security roles in the population for potential selection in the compliance assessments, and 3) develop adequate procedures to validate compliance with current security role-related responsibilities through compliance assessments that incorporate supporting evidence of proper execution of assigned responsibilities.

Management's Response: IRS management agreed with this recommendation. The IRS has an effective and repeatable method to identify all IRS employees performing in established IT security roles. The IRS will incorporate contract employees in its existing method for identifying IRS employees in established IT security roles by including them in its yearly requests to IRS training coordinators asking for names of all IRS and contract employees who perform security roles. The IRS will use this population of all IRS and contract employees for potential selection in the compliance assessments.
In addition, the IRS will improve existing procedures to validate compliance with current security role-related responsibilities through compliance assessments that incorporate supporting evidence of proper execution of assigned responsibilities.

8 These roles are Computer Audit Specialist, Functional Workstation Specialist, Technical Support Staff, Management/Program Analyst, and System Designer.

Office of Audit Comment: The TIGTA disagrees that the IRS has an effective and repeatable method in place to identify all IRS employees performing in established IT security roles. The referenced method is the process the IRS has used to identify employees in IT security roles requiring specialized training, based on the IRS' IT Security Training Curriculum document. As stated in our report, this method was not sufficiently identifying all employees performing in the roles currently requiring specialized training, nor was it sufficient to identify all employees in IT security roles specified by the IRM, required by the Department of the Treasury, or recommended by the NIST. For that reason, the IRS previously informed us that it was developing new techniques for identifying these employees. We maintain that the IRS needs to improve its identification methods of IRS and contract employees performing in all established IT security roles to ensure an accurate population is maintained and compliance with security responsibilities is properly assessed.

Effective Metrics for Measuring and Improving Compliance With Information Technology Security Roles and Responsibilities Were Not Established

The final step in the IRS corrective action plan for resolving the roles and responsibilities component of its computer security material weakness required the IRS to establish and maintain the collection and reporting of metrics to assess the successful operation of the policy regarding roles and responsibilities and ensure continuous monitoring of the program area. Because the compliance assessments did not yield significant information, the IRS has yet to establish or collect meaningful metrics.

As with the other incomplete corrective actions, the IRS informed us it plans to: 1) establish sufficient metrics that will allow analysis of key trends or themes that require improvement, 2) communicate these issues to management, 3) use the metrics information to develop targeted communications, and 4) effect continued process improvement in role execution.

The IRS believes the actions taken thus far support the downgrade of the security roles and responsibilities component from a material weakness to a control deficiency, and it has repeatable processes in place that address the key issues and significant risks posed by the original finding. 9 The IRS also believes that its planned additional actions will further strengthen and enhance its existing repeatable processes.

We believe that the repeatable processes are not in place over this computer security material weakness component area.
While we agree the actions planned, once implemented, would appear to fully address this weakness, we cannot support a downgrade of this component based on planned actions. Because controls have not been fully implemented and repeatable processes are not in place, both the TIGTA and the GAO have continued to identify multiple instances in the past year where employees have not performed their assigned responsibilities. Examples include systems administrators not complying with secure password requirements, which left servers insufficiently protected; security officers not promptly removing employee physical access to restricted areas; employees not properly configuring system access, which allowed unencrypted data to be transferred between centers; an employee executing the roles of both database administrator and system administrator despite policy prohibiting this combination of system rights; 10 and Contracting Officers' Technical Representatives not performing day-to-day contract oversight or verifying deliverables. 11

9 During the course of this review, the IRS assessed the roles and responsibilities component as a control deficiency; but in their official management response to the draft report, the IRS reassessed this component and increased its materiality one level higher to a significant deficiency.
10 Information Security – IRS Needs to Continue to Address Significant Weaknesses (Reference Number GAO-10-355, dated March 2010).
11 Controls Over the Contracting Officer's Technical Representatives Workforce Were Ineffective, Resulting in Significant Risks to the Government (Reference Number 2009-10-139, dated September 30, 2009).

Until the IRS completes its official documentation of all security roles and related responsibilities, identifies all IRS and contract employees performing in security roles, ensures all employees are equipped with appropriate training, implements adequate procedures to validate compliance with employee security responsibilities, and establishes adequate collection and reporting of metrics to improve roles and responsibilities implementation, the IRS cannot ensure all IRS and contract employees will carry out their responsibilities to protect the confidentiality, integrity, and availability of taxpayer data.

Recommendations

Recommendation 3: The Associate Chief Information Officer, Cybersecurity, should ensure adequate and accurate metrics are established that assess progress and can be analyzed to develop actions to further improve implementation of security roles and responsibilities policy.

Management's Response: IRS management agreed with this recommendation. The IRS' Modernization and Information Technology Services Cybersecurity organization will establish memoranda of understanding/memoranda of agreements with IRS business and functional units to ensure adequate and accurate metrics are established. The memoranda will define metrics and establish measures. The Cybersecurity organization will also work with the business and functional units to determine the required metric information, format, and timelines for continuous collection and reporting and to effect continued process improvement.

Recommendation 4: The Director of Wage and Investment, Business Systems Planning, and the Associate Chief Information Officer, Cybersecurity, as the Co-Chairpersons of the Security Services and Privacy Executive Steering Committee, should review the findings in this report and reopen the roles and responsibilities component of the computer security material weakness. The roles and responsibilities component should remain open until corrective actions have been fully implemented and completed, repeatable processes are in place, and results can be validated.

Management's Response: IRS management disagreed with this recommendation. After reviewing this report and the recurring processes and procedures in place, the IRS believes this component of the computer security material weakness has dropped below the threshold of materiality as defined by the GAO.
The IRS considers this component in a state of "Significant Deficiency" and will maintain focus, with appropriate governance oversight, on maturing these processes and procedures to comply with applicable best practices and further reducing their overall risk.

Office of Audit Comment: The TIGTA disagrees with IRS' assessment that the roles and responsibilities component of the computer security material weakness be downgraded to a significant deficiency. As stated in our report, the lack of progress in completing four of the six corrective actions and implementing repeatable processes to ensure this weakness does not recur, along with the recent evidence of employee noncompliance with security responsibilities, precludes us from agreeing to a downgrade at this time.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the IRS has effectively resolved the vulnerabilities relating to the information technology security roles and responsibilities component of the IRS computer security material weakness, and implemented repeatable processes to ensure that this weakness does not recur. Specifically, we:

I. Determined whether the actions taken to resolve the security roles and responsibilities vulnerabilities were sufficient to close this component of the IRS computer security material weakness.
   A. Reviewed prior TIGTA and GAO reports for Fiscal Years 2007–2009 and other applicable IRS documentation regarding the security roles and responsibilities. We determined whether the IRS satisfactorily completed prior TIGTA recommendations relating to security roles and responsibilities and closed them in the Joint Audit Management Enterprise System, if applicable.
   B. Determined whether the IRS policy for roles and responsibilities complies with Federal and Department of the Treasury regulations.
   C. Determined whether the IRS has completed its own planned corrective actions for resolving the roles and responsibilities component of the IRS computer security material weakness.
   D. Determined whether the performance metrics established by the IRS are effective for monitoring compliance and ensuring that the security roles and responsibilities weakness will not recur.
   E. Interviewed appropriate IRS management as needed to determine causes for deficiencies found in the IRS security roles and responsibilities program.

Internal controls methodology

Internal controls relate to management's plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined the following internal controls were relevant to our audit objective: Department of the Treasury regulations, Government guidelines, IRS policies, and the IRS computer security material weakness plan of actions. We evaluated these internal controls by interviewing management and reviewing supporting documentation.

Appendix II

Major Contributors to This Report

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)
Kent Sagara, Director, Systems Security
Jody L. Kitazono, Audit Manager
Louis Lee, Lead Auditor
Richard Borst, Senior Auditor
Kasey Koontz, Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Services and Enforcement SE
Commissioner, Wage and Investment Division SE:W
Associate Chief Information Officer, Cybersecurity OS:CTO:C
Director, Business Modernization Office, Wage and Investment Division SE:W:BMO
Director, Business Systems Planning, Wage and Investment Division SE:W:BMO:BSP
Director, Stakeholder Management Division OS:CIO:SM
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaison:
   Chief Technology Officer OS:CTO

Appendix IV

Internal Revenue Manual Roles Missing Responsibilities in the Training Curriculum

The following roles defined in IRM 10.8.2 were missing responsibilities listed in the training curriculum document. The discrepancies in these two documents may cause employees confusion over their official security-related responsibilities.

1. Chief Information Officer
   • Conducts training and awareness programs.
2. Designated Accrediting Authority
   • The creation, maintenance, and execution of the plan of action and milestones.
3. Information Systems Security Officer
   • Ensuring there is a current security plan and IT contingency plan for the assigned general support system.
   • Promoting IT security awareness and assisting in the identification of personnel with significant security responsibilities to receive both initial and refresher role-based security training.
4. Manager
   • Providing technical direction of or supervision over an employee or employees with significant security roles, such as Security Specialist; System Administrator (responsible for maintaining access controls or system security parameters), or Network Administrator (responsible for maintaining secure configuration of a network).
   • Providing technical direction of or supervision over employees who ensure the confidentiality, integrity, and availability of the network and its information resources.
5. Privacy Official
   • Establishing and managing privacy policies and the Privacy Impact Assessment processes/procedures.
   • Managing a centralized evaluation capability to oversee compliance with Unauthorized Access policy and program.
   • Reporting on the progress of the IRS efforts being taken and making recommendations for improving the effectiveness of the Unauthorized Access program to IRS Management.
6. Program Management Official
   • Ensures that the business impact of weaknesses are assessed and prioritized.
   • Ensures all certification and accreditation documents exist and are updated, including the Privacy Impact Assessment.
   • Identifies business unit personnel in need of security training.
   • Escalates issues to appropriate parties as necessary.
7. Security Specialist
   • Determining strategy and priorities.
   • Performing a role in business continuity planning.
8. Senior Agency Information Security Officer
   • Oversees the submission of the formal FISMA reports and their supporting processes, and also oversees IRS responses to TIGTA and GAO audits.
9. Systems Operations Staff
   • Runs all backup and data maintenance tasks according to the systems' specific schedule.
   • Directly accounts for the security of all physical/mechanical aspects of the system and coordinates any external interaction with the system, such as those involving customer engineers/vendor technicians.
   • Keeps logs of the results of all scheduled system tasks and shares that information with systems administration personnel to facilitate monitoring of the system.
10. Telecommunications Voice Specialist
   • Voice messaging system applications, which includes adding, deleting, and modifying users.
   • All circuitry ingression and egression at all facilities under his/her control.
   • Video applications (compressed and satellite).
   • Employee relocations, ensuring that all telephonic equipment is relocated correctly and timely.
   • Monitoring the network system with authorized tools to ensure a healthy state.

Appendix V

Management's Response to the Draft Report
22\n\x0c   More Actions Are Needed to Correct the\n Security Roles and Responsibilities Portion\nof the Computer Security Material Weakness\n\n\n\n\n                                               Page 23\n\x0c   More Actions Are Needed to Correct the\n Security Roles and Responsibilities Portion\nof the Computer Security Material Weakness\n\n\n\n\n                                               Page 24\n\x0c'